From: Radoslav Vasilev (deckland@gmail.com)
Date: Thu Sep 21 2006 - 17:05:28 ART
I missed your point in the original post...
Apart from the use-bia option, what you're trying to do is to make the
virtual mac-address a static secure MAC address. I don't think this is
possible as by definition security violation would occur if a secure
mac address is re-learnt on another port - something that would happen
if the active HSRP router is changed.
Using the combination of use-bia, max-address one per port and sticky
secure mac-addresses seems to be the best solution I can think of.
Rado
On 9/21/06, Tony Paterra <apaterra@gmail.com> wrote:
> I understand that you can do it manually by clearing the port-security
> entries and bouncing the interface, but this defeats the purpose of
> HSRP for fault-tolerant routing and gateway services... Any way to do
> this seamlessly?
>
> On 9/21/06, Radoslav Vasilev <deckland@gmail.com> wrote:
> > Hi Tony,
> >
> > Rack1SW1(config-if)#switchport port-security mac-address 0015.c678.6a98
> > Found duplicate mac-address 0015.c678.6a98.
> >
> > Rack1SW1(config-if)#do clear mac-addr dynamic
> > Rack1SW1(config-if)#switchport port-security mac-address 0015.c678.6a98
> >
> > interface GigabitEthernet1/0/6
> > switchport access vlan 5
> > switchport mode access
> > switchport port-security
> > switchport port-security mac-address 0015.c678.6a98
> > shutdown
> >
> > Rack1SW1(config)#int gi 1/0/6
> > Rack1SW1(config-if)#no shu
> > Rack1SW1(config-if)#no shutdown
> >
> >
> > On 9/21/06, Tony Paterra <apaterra@gmail.com> wrote:
> > > I was playing with a lab and came across one of those dependent
> > > "gotchas" with HSRP and port-security. I'm trying to minimize the
> > > number of port-security mac-addresses on the switch and still enable
> > > HSRP to function properly.
> > >
> > > 2 questions...
> > >
> > > 1.) I am unable to allow the virtual mac-address on both switchports
> > > as it gives me an error... How can I account for the Active router
> > > going down and the Standby picking it up?
> > >
> > > SW1#
> > > interface GigabitEthernet0/1
> > > switchport access vlan 99
> > > switchport mode access
> > > switchport port-security maximum 2
> > > switchport port-security
> > > switchport port-security mac-address <virtual mac-address>
> > >
> > > interface GigabitEthernet0/2
> > > switchport access vlan 99
> > > switchport mode access
> > > switchport port-security maximum 2
> > > switchport port-security
> > > switchport port-security mac-address <virtual mac-address>
> > >
> > > ERROR: Found duplicate mac-address 0000.0c07.ac01.
> > >
> > >
> > > 2.) Outside of use-bia, is there something I'm missing here? The
> > > best way I see to do this is to put static allows in for the BIA on
> > > the interfaces and one sticky for the virtual. Should I be playing
> > > with the timers for port-security or mac-address-table aging?
> > >
> > >
> > > Thanks in advance,
> > > --
> > > Tony Paterra
> > > apaterra@gmail.com
> > >
> > > _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
>
>
> --
> Tony Paterra
> apaterra@gmail.com
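As an added illustration of the behaviour discussed in this thread (not code from the list, from Cisco, or from either poster): a small Python model of a port-security table that reproduces the duplicate-MAC error from question 1, the violation that would occur when the HSRP virtual MAC moves to the standby router's port on failover, and why Rado's combination of use-bia, maximum 1 and sticky avoids it. The R2 BIA, port names and the table semantics are assumptions.

```python
from dataclasses import dataclass, field

HSRP_VMAC = "0000.0c07.ac01"                         # HSRP group 1 virtual MAC from the thread
R1_BIA, R2_BIA = "0015.c678.6a98", "0015.c678.6a99"  # R1 BIA from the thread; R2 BIA is constructed

class PortSecurityError(Exception):
    """Raised where IOS prints 'Found duplicate mac-address'."""

@dataclass
class Switch:
    """Toy port-security table: one VLAN, per-port maximum, static and sticky-learned secure MACs."""
    maximum: dict = field(default_factory=dict)   # port -> 'switchport port-security maximum'
    secure: dict = field(default_factory=dict)    # port -> set of secure MACs

    def configure(self, port, maximum):
        self.maximum[port], self.secure[port] = maximum, set()

    def owner(self, mac):
        return next((p for p, macs in self.secure.items() if mac in macs), None)

    def static_secure(self, port, mac):
        """'switchport port-security mac-address <mac>': a MAC may be secure on one port only."""
        if self.owner(mac) not in (None, port):
            raise PortSecurityError(f"Found duplicate mac-address {mac}.")
        self.secure[port].add(mac)

    def frame(self, port, src):
        """Ingress frame: sticky-learn while under maximum; a MAC secured elsewhere is a violation."""
        if src in self.secure[port]:
            return "ok"
        if self.owner(src) is not None or len(self.secure[port]) >= self.maximum[port]:
            return "violation"                        # default violation mode would err-disable the port
        self.secure[port].add(src)
        return "ok"

def duplicate_static_rejected():
    """Question 1: the virtual MAC cannot be a static secure MAC on both router-facing ports."""
    sw = Switch(); sw.configure("Gi0/1", 2); sw.configure("Gi0/2", 2)
    sw.static_secure("Gi0/1", HSRP_VMAC)
    try:
        sw.static_secure("Gi0/2", HSRP_VMAC)
    except PortSecurityError:
        return True
    return False

def failover(use_bia):
    """Without use-bia the active router sources the virtual MAC, which moves ports on failover."""
    sw = Switch(); sw.configure("Gi0/1", 1 if use_bia else 2); sw.configure("Gi0/2", 1 if use_bia else 2)
    sw.frame("Gi0/1", R1_BIA); sw.frame("Gi0/2", R2_BIA)        # sticky-learned router BIAs
    sw.frame("Gi0/1", R1_BIA if use_bia else HSRP_VMAC)          # R1 is active
    return sw.frame("Gi0/2", R2_BIA if use_bia else HSRP_VMAC)   # R2 takes over: "ok" / "violation"
```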
This archive was generated by hypermail 2.1.4 : Sun Oct 01 2006 - 16:55:41 ART